Simple hack unlocks card-protected doors

At the Defcon security conference in Las Vegas, a hacker and Defcon staffer who goes by the name Zac Franken demonstrated how a small home-made device he calls Gecko can perform a classic man-in-the-middle attack on the type of access card readers used at office doors around the country. Gecko is simply a small, programmable PIC chip with a wire connector on either side. Once it's connected to the wires behind the card reader, it's trivial to use a 'replay' card to get through the door. You can also disable the system so that nobody else can come in behind you.

What's more, making a Gecko is easy and cheap. Franken says the hardware costs about US$10.

According to Franken, the hack subverts the Wiegand protocol, commonly used for communication between the card reader and the back-end access control system, and doesn't take direct advantage of any problems with any of the hardware involved. When you swipe your card at the office, the reader very likely sends a signal using the Wiegand protocol to the control system, which then opens the doors.

"The problem is, this is what we call a plain-text protocol," Franken says. "There's nothing secure about it."

For many card readers, getting Gecko in place is just a matter of popping off the reader's cover with a knife or screwdriver and undoing two screws, he says. That provides access to the wires that carry the signal from the reader to the control system.

In a real-world situation you'd quickly cut the wires and insert one cut end into one side of the Gecko, and the other cut end into the Gecko's other side. In Franken's demonstration he used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader's cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it's supposed to. But when someone swipes an authorised card that unlocks the door, Gecko saves that signal.

With that saved unlock signal, the attacker can swipe a 'replay' card that tells Gecko to re-send that saved signal, and the doors unlock. What's more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.
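Why the control system and its logs cannot tell a replayed signal from a fresh swipe, shown as an added example that is not from the article or from Franken. It assumes the widely used 26-bit Wiegand layout (the article does not say which format the readers used); the function names and the sample credential are constructed for illustration.

```python
# Added example (not from the article): the widely used 26-bit Wiegand layout,
# assumed here because the article does not say which format the readers used.
# Layout: 1 even-parity bit, 8-bit facility code, 16-bit card number, 1 odd-parity bit.

def encode_26(facility: int, card: int) -> str:
    """Return the 26 bits a reader would put on the wire for this credential."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # makes the first 13 bits even
    odd = 1 - data[12:].count("1") % 2     # makes the last 13 bits odd
    return f"{even}{data}{odd}"

def decode_26(bits: str) -> dict:
    """Validate parity and return everything the controller learns from a frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}

def controller_can_tell_apart(frame_a: str, frame_b: str) -> bool:
    """True only if two frames decode to different fields.

    The frame has no counter, timestamp, nonce or MAC, so two presentations
    of one credential decode identically, whoever put the bits on the wire.
    """
    return decode_26(frame_a) != decode_26(frame_b)

if __name__ == "__main__":
    # Constructed sample credential, not a real badge.
    first = encode_26(facility=42, card=1234)
    later = encode_26(facility=42, card=1234)   # the same bits sent again later
    print(first, decode_26(first))
    print("distinguishable:", controller_can_tell_apart(first, later))
    # Parity catches line noise only: flip one bit and the frame is rejected.
    flipped = "0" if first[5] == "1" else "1"
    try:
        decode_26(first[:5] + flipped + first[6:])
    except ValueError as err:
        print("rejected:", err)
```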

The replay card isn't anything special, and could be any card. It's just one that Gecko knows about beforehand. When it sees that card's code – because the card reader passes it along – Gecko knows to send its saved signal in response.

The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognised replay card can unlock the door. Every other card, authorised or not, will fail.

With nobody else able to use that door, an invader would have plenty of time to steal data or work his mischief. Other, non-Gecko modified doors would continue to work, though. And the attacker can re-enable the system and turn everything back to normal by swiping a third 'enable' card.

Franken says you wouldn't need to add the device right behind the card reader. If you knew where the wires went through a wall panel or anywhere else in the building, you could splice it in there.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.